Qualys. 


Qualys IaC Security Integration with GitLab


In a typical continuous integration and continuous deployment (CI/CD) environment,
security scans are run on cloud resources only after deployment. As a result, you
secure your cloud resources post deployment, in the respective cloud accounts.


With the introduction of the Infrastructure as Code (IaC) Security feature in Qualys CloudView,
you can now secure your IaC templates before the cloud resources are deployed in your
cloud environments. The IaC Security feature helps you shift your cloud security and
compliance posture to the left, allowing cloud resources to be evaluated for
misconfigurations early in the development phase.


CloudView offers an integration with GitLab that secures GitLab repositories through a pipeline
template, which scans the IaC templates in those repositories. It
continuously verifies them for security misconfigurations against CloudView security controls and
displays the failed checks for each run, giving you continuous visibility of the security posture
of your IaC templates in the GitLab pipeline so that you can plan remediation. Follow this guide for
more details.


For supported templates, other integrations, and features of Cloud IaC Security, refer to 
CloudView User Guide and CloudView API User Guide. 
Scanning IaC Templates at GitLab


The GitLab integration allows you to run IaC scans on GitLab repositories on
push and merge requests. It checks for security issues and displays the failed checks in a
vulnerability report. We provide a pipeline template and options that can be
configured to run based on various triggers.


You can perform IaC scan on either of the following: 
- the entire repository for the branch where the manual/scheduled event was performed. 
- the templates that were changed or newly added to the branch. 


The results are generated in the GitLab pipeline output, which gives you proactive
visibility into the security of the IaC templates residing in your GitLab repositories.


Let us see the quick workflow:
- Pre-requisite
- Configure Environment Variables
- Configure Pipeline
- Trigger Scan
- Understanding Scan Output


Pre-requisite
Ensure that you have a valid subscription to the Qualys CloudView (Cloud Security Assessment)
app.


Before you trigger IaC scans in GitLab, ensure that you configure environment variables 
that are used in the pipeline. 


Configure Environment Variables
On the GitLab console, go to Settings > CI/CD > Variables.


[Screenshot: GitLab CI/CD Variables settings page listing BREAK_ON_ERROR, QUALYS_PASSWORD, QUALYS_URL and QUALYS_USERNAME with the environment scope All (default); QUALYS_PASSWORD and QUALYS_USERNAME are marked Masked (hidden in job logs). A Protected variable is exposed only to protected branches or tags, and environment variables are protected by default as configured by your administrator.]

Provide the required details for the environment variables.

Variable          Description
QUALYS_URL        Qualys platform URL. To know your Qualys platform URL, click here.
QUALYS_USERNAME   Qualys username
QUALYS_PASSWORD   Qualys password
BREAK_ON_ERROR    Set this variable to false if you do not want the pipeline to fail on any
                  failed checks in the IaC scan. Otherwise, set it to true or do not add this
                  variable.
Configure Pipeline

We provide you with a pipeline template that you can use to scan the repository. 
To use the template: 

1. In GitLab, navigate to your repository. 

2. Click + > New file. 

3. Select .gitlab-ci.yml from the Select a template type drop-down.

When you select the template type, the Apply a template drop-down is available. 


[Screenshot: New file dialog on branch main with Filename .gitlab-ci.yml; typing "qualys" in the Apply a template drop-down filters the General list to Qualys-IaC-Security.]


4. Select Qualys-IaC-Security from the Apply a template drop-down.

Once you select the template, the contents of the file are automatically loaded.


[Screenshot: New file editor for .gitlab-ci.yml on branch main, pre-filled with the Qualys-IaC-Security template (the same content listed under Contents of Pipeline Script below), with the Commit message "Add new file", Target Branch main and the Commit changes button.]


Alternatively, you can also create the .gitlab-ci.yml file in the root directory of your
repository, with the content provided.


Contents of Pipeline Script (.gitlab-ci.yml)

    stages:
      - build
      - test
      - qualys_iac_scan
      - deploy

    qualys_iac_sast:
      stage: qualys_iac_scan
      image:
        name: qualys/qiac_security_cli:latest
        entrypoint: [""]
      script:
        - sh /home/qiac/gitlab.sh
      artifacts:
        name: "qualys-iac-sast-artifacts"
        paths:
          - qualys_iac_ci_result.json
        reports:
          sast: gl-sast-qualys-iac-ci-report.json
Trigger Scan

Once you have configured the pipeline, you can trigger a scan in the following ways:
- Trigger Scan (Automatically)
- Trigger Scan (Manually)
- Trigger Scan (Scheduled)


Trigger Scan (Automatically)


Once the pipeline is configured, it is executed automatically, and the IaC scan is triggered
with every push request and merge request. With every such action, the committed or merged
files that were added to the branch are scanned.


Trigger Scan (Manually)
You can manually trigger a scan for the entire repository.


1. In GitLab, navigate to your project.
2. Click CI/CD > Pipelines.
3. Click Run pipeline.


The Run pipeline screen is displayed.
[Screenshot: Run pipeline screen with the Run for branch name or tag field set to main, a Variables section where you can specify variable values for this run (the values specified in CI/CD settings are used by default), and the Run pipeline and Cancel buttons.]


4. In the Run for branch name or tag field, select the branch or tag for which you want to trigger the scan.


5. Click Run pipeline. 


The scan is initiated on all the files in the selected branch of your repository. 


Trigger Scan (Scheduled) 
You can schedule IaC scans to run at a specific time and at regular intervals.


1. In GitLab, navigate to your project. 


2. Click CI/CD > Schedules. 
3. Click New schedule. 


The Schedule a new pipeline screen is displayed. 


[Screenshot: Schedule a new pipeline screen with Description "Qualys IaC Security Scan Schedule"; Interval Pattern options Every day (at 6:00pm), Every week (Thursday at 6:00pm), Every month (Day 14 at 6:00pm) or Custom (Cron syntax) with the value 0 18 * * *; Cron Timezone UTC; Target Branch main; an optional Variables section; the Activated toggle; and the Save pipeline schedule and Cancel buttons.]


4. Enter the description for the new schedule. 


5. Select the required option from Interval Pattern and add appropriate value in the field. 


Note: The schedule timing is configured with cron notation. 


6. Select the relevant timezone from the Cron Timezone drop-down. For example, UTC. 


7. Select the branch on which you want to trigger the scan from the Target Branch drop-down.


8. Click Save pipeline schedule. 
In the schedules list page, you can see a list of the pipelines that are scheduled to run. The
next run is automatically calculated by the GitLab scheduler.


[Screenshot: Pipeline schedules list (All 3, Active 3, Inactive 0) showing the Qualys IaC Security Scan Schedule and two other schedules with their target branch, last pipeline id and next run time, plus the New schedule and Take ownership controls.]


Understanding Scan Output 


Once the pipeline is executed successfully, you can view the results on the Security tab of the
completed pipeline job.


To download the report, click Download results. 


[Screenshot: Security tab of the GCPMySqlDBinstance template pipeline (1 job for main, 41 seconds), listing 21 vulnerabilities reported by the Qualys IaC Scan SAST tool with severity and tool filters. Visible findings include checks that data stored in Aurora is encrypted at rest, that Amazon EMR cluster security groups are not open to the world, and that no security groups allow ingress from 0.0.0.0/0 to port 22. The Download results control is at the top right.]
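As an added example (not part of the Qualys template or this guide), the following Python script reads the gl-sast-qualys-iac-ci-report.json artifact the pipeline publishes, summarises the findings per severity and per template file, and returns a non-zero exit status only when checks at or above a chosen severity fail and BREAK_ON_ERROR is not set to false. It assumes the report follows the GitLab SAST report layout (the format GitLab expects under `reports: sast:`) and runs on a constructed sample built from the findings shown in the screenshots; the severity threshold goes beyond the page's all-or-nothing BREAK_ON_ERROR behaviour.

```python
import json
import os
import sys
from collections import Counter

# Severity ranking used by the gate (added example); values are those of the GitLab SAST report schema.
SEVERITY_RANK = {"Unknown": 0, "Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the GitLab SAST report layout (not real scanner output); file names
# and check titles mirror the findings shown in the vulnerability report screenshots.
SAMPLE_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": [
    {"id": "1", "category": "sast", "severity": "High", "location": {"file": "GCPMySqlDBInstanceFail.tf", "start_line": 1},
     "name": 'Ensure "local_infile" database flag for Cloud SQL - Mysql instance is set to "off"'},
    {"id": "2", "category": "sast", "severity": "High", "location": {"file": "Azure-NSG1.json", "start_line": 7},
     "name": "Disable RDP access on Network Security Groups from Internet (ANY IP)"},
    {"id": "3", "category": "sast", "severity": "Medium", "location": {"file": "aws_athena_database.tfplan.json"},
     "name": "Ensure Athena Database is encrypted at rest (default is unencrypted)"},
]})

def load_findings(report_text):
    """Parse a GitLab SAST report and return its list of vulnerability entries."""
    return json.loads(report_text).get("vulnerabilities", [])

def summarise(findings):
    """Counts per severity and per template file, for a compact pipeline-log summary."""
    by_severity = Counter(f.get("severity", "Unknown") for f in findings)
    by_file = Counter(f.get("location", {}).get("file", "<unknown>") for f in findings)
    return by_severity, by_file

def failed_checks(findings, minimum="High"):
    """Findings at or above `minimum` severity; a non-empty list means the gate fails."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK.get(f.get("severity"), 0) >= floor]

def gate(report_text, break_on_error=True, minimum="High"):
    """Exit status for the job: 1 only when failed checks exist and BREAK_ON_ERROR is not false."""
    findings = load_findings(report_text)
    by_severity, by_file = summarise(findings)
    print("findings by severity:", dict(by_severity), "| by file:", dict(by_file))
    failing = failed_checks(findings, minimum)
    for f in failing:
        loc = f.get("location", {})
        print(f"[{f['severity']}] {loc.get('file')}:{loc.get('start_line', '-')} {f['name']}")
    return 1 if failing and break_on_error else 0

if __name__ == "__main__":
    # Same convention as the page's BREAK_ON_ERROR variable: "false" disables failing, anything else fails.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    break_on_error = os.environ.get("BREAK_ON_ERROR", "true").strip().lower() != "false"
    sys.exit(gate(text, break_on_error))
```

Run it as an extra script step after `sh /home/qiac/gitlab.sh` with the report path as its argument; the exit status then decides whether the job fails.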
To view the vulnerabilities reported by Qualys IaC Security in all GitLab pipelines, go to
Security & Compliance > Vulnerability Report.


[Screenshot: Vulnerability Report page showing the results of the latest successful pipeline on the project's default branch: 72 development vulnerabilities (45 High, 25 Medium, 2 Unknown), each with status Needs triage, identifier Qualys IaC Scan and tool SAST. Visible findings include: Ensure "local_infile" database flag for Cloud SQL - Mysql instance is set to "off" (/GCPMySqlDBInstanceFail.tf:1); Ensure that MySQL Database Instance does not allow root login from any host (/GCPMySqlDBInstanceFail.tf:1); Ensure that Cloud SQL - Mysql database instances are not open to the world (/GCPMySqlDBInstanceFail.tf:1); Disable RDP access on Network Security Groups from Internet (ANY IP) (/Azure-NSG1.json:7); Ensure Athena Database is encrypted at rest (default is unencrypted) (/aws_athena_database.tfplan.json).]
You can click a vulnerability to view its details.


[Screenshot: Vulnerability detail page for the finding Ensure "local_infile" database flag for Cloud SQL - Mysql instance is set to "off": Severity High, Tool SAST, Scanner Qualys IaC, Location /GCPMySqlDBInstanceFail.tf:1-25, Identifier Qualys IaC Scan, detected 17 hours ago in pipeline 466984997, Status Needs triage, with Linked issues and a Create issue button.]


To view the security dashboard, go to Security & Compliance > Security Dashboard. 


[Screenshot: Security Dashboard chart of vulnerability counts over time (2022-01-13 to 2022-02-06), broken down by Critical, High, Medium, Low, Info and Unknown.]


For details on elements in the output format, refer to the Secure IaC section in the CloudView API
User Guide.